Prepare for extension host in Azure Stack Hub

The extension host secures Azure Stack Hub by reducing the number of required TCP/IP ports. This article looks at preparing Azure Stack Hub for the extension host, which is automatically enabled through an Azure Stack Hub update package after the 1808 update. This article applies to Azure Stack Hub updates 1808, 1809, and 1811.

Certificate requirements

The extension host implements two new domain namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wildcard certificates to ensure secure communication.

The table shows the new namespaces and the associated certificates:

| Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| Admin extension host | *.adminhosting.<region>.<fqdn> (wildcard SSL certificate) | Admin extension host | adminhosting.<region>.<fqdn> |
| Public extension host | *.hosting.<region>.<fqdn> (wildcard SSL certificate) | Public extension host | hosting.<region>.<fqdn> |

For detailed certificate requirements, see Azure Stack Hub public key infrastructure certificate requirements.

Create certificate signing request

The Azure Stack Hub Readiness Checker tool lets you create certificate signing requests for the two new required SSL certificates. Follow the steps in the article Azure Stack Hub certificate signing request generation.

Note

You may skip this step depending on how you requested your SSL certificates.

Validate new certificates

  1. Open PowerShell with elevated permissions on the hardware lifecycle host or the Azure Stack Hub management workstation.

  2. Run the following cmdlet to install the Azure Stack Hub Readiness Checker tool:

    Install-Module -Name Microsoft.AzureStack.ReadinessChecker
    
  3. Run the following script to create the required folder structure:

    New-Item C:\Certificates -ItemType Directory
    
    # One folder per certificate the Readiness Checker expects, including the two new extension host folders
    $directories = 'ACSBlob','ACSQueue','ACSTable','Admin Portal','ARM Admin','ARM Public','KeyVault','KeyVaultInternal','Public Portal', 'Admin extension host', 'Public extension host'
    
    $destination = 'c:\certificates'
    
    $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}
    

    Note

    If you deploy with Azure Active Directory Federated Services (AD FS), the following directories must be added to $directories in the script: ADFS, Graph.

  4. Place the existing certificates, which you're currently using in Azure Stack Hub, in the appropriate directories. For example, put the Admin ARM certificate in the Arm Admin folder. Then put the newly created hosting certificates in the Admin extension host and Public extension host directories.

  5. Run the following cmdlet to start the certificate check:

    $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString
    
    Start-AzsReadinessChecker -CertificatePath c:\certificates -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD
    
  6. Check the output and confirm that all certificates pass all tests.
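As an added check that is not part of the original article or of the Readiness Checker, the following PowerShell function opens each new hosting PFX and confirms that its subject or SAN actually names the required wildcard namespace, that it carries a private key, and how long it is still valid, before you import it through the privileged endpoint. The region, FQDN and PFX file names are assumptions; the folder names follow the $directories list above.

```powershell
# Added example, not from the original article: check that a hosting PFX really
# covers the wildcard namespace before it is imported through the privileged endpoint.
# Uses the Windows .NET SAN formatter ("DNS Name=..."), so run it in Windows PowerShell.
function Test-ExtensionHostCert {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [SecureString] $PfxPassword,
        [Parameter(Mandatory)] [string]       $ExpectedName   # e.g. *.adminhosting.east.azurestack.contoso.com
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    try {
        # Subject Alternative Name extension (OID 2.5.29.17), formatted as "DNS Name=a, DNS Name=b".
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @()
        if ($sanExt) {
            $sanNames = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }
        $subjectCn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        [pscustomobject]@{
            File          = $PfxPath
            SubjectCN     = $subjectCn
            SanNames      = $sanNames -join ';'
            CoversName    = ($sanNames -contains $ExpectedName) -or ($subjectCn -eq $ExpectedName)
            HasPrivateKey = $cert.HasPrivateKey
            DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $cert.Thumbprint
        }
    } finally { $cert.Dispose() }
}

# Region, FQDN and file names are assumptions; the folder names match the article's $directories list.
$region = 'east'; $fqdn = 'azurestack.contoso.com'
$pfxPassword = Read-Host -Prompt 'Enter PFX Password' -AsSecureString
$checks = @(
    @{ Path = 'C:\Certificates\Admin extension host\adminhosting.pfx'; Name = "*.adminhosting.$region.$fqdn" },
    @{ Path = 'C:\Certificates\Public extension host\hosting.pfx';     Name = "*.hosting.$region.$fqdn" }
)
foreach ($c in $checks) {
    $r = Test-ExtensionHostCert -PfxPath $c.Path -PfxPassword $pfxPassword -ExpectedName $c.Name
    $r | Format-List
    if (-not ($r.CoversName -and $r.HasPrivateKey)) {
        Write-Warning "$($c.Path) does not cover $($c.Name) with a private key; do not import it."
    }
}
```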

Import extension host certificates

Use a computer that can connect to the Azure Stack Hub privileged endpoint for the next steps. Make sure you have access to the new certificate files from that computer.

  1. Open PowerShell ISE to execute the next script blocks.

  2. Import the certificate for the admin hosting endpoint.

    # Password of the PFX file and credentials for the privileged endpoint (PEP)
    $CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
    
    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
    
    # Read the PFX as raw bytes so it can be passed to the PEP session
    [Byte[]]$AdminHostingCertContent = [Byte[]](Get-Content c:\certificate\myadminhostingcertificate.pfx -Encoding Byte)
    
    Invoke-Command -ComputerName <PrivilegedEndpoint computer name> `
    -Credential $CloudAdminCred `
    -ConfigurationName "PrivilegedEndpoint" `
    -ArgumentList @($AdminHostingCertContent, $CertPassword) `
    -ScriptBlock {
            param($AdminHostingCertContent, $CertPassword)
            Import-AdminHostingServiceCert $AdminHostingCertContent $CertPassword
    }
    
  3. Import the certificate for the hosting endpoint.

    $CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
    
    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
    
    [Byte[]]$HostingCertContent = [Byte[]](Get-Content c:\certificate\myhostingcertificate.pfx -Encoding Byte)
    
    Invoke-Command -ComputerName <PrivilegedEndpoint computer name> `
    -Credential $CloudAdminCred `
    -ConfigurationName "PrivilegedEndpoint" `
    -ArgumentList @($HostingCertContent, $CertPassword) `
    -ScriptBlock {
            param($HostingCertContent, $CertPassword)
            Import-UserHostingServiceCert $HostingCertContent $CertPassword
    }
    

Update DNS configuration

Note

This step isn't required if you used DNS zone delegation for DNS integration. If individual host A records have been configured to publish Azure Stack Hub endpoints, you need to create two additional host A records:

| IP | Hostname | Type |
|---|---|---|
| <IP> | *.Adminhosting.<Region>.<FQDN> | A |
| <IP> | *.Hosting.<Region>.<FQDN> | A |

The allocated IPs can be retrieved through the privileged endpoint by running the cmdlet Get-AzureStackStampInformation.

Ports and protocols

The article Azure Stack Hub datacenter integration - Publish endpoints covers the ports and protocols that require inbound communication to publish Azure Stack Hub before the extension host rollout.

Publish new endpoints

Two new endpoints must be published through your firewall. The allocated IPs from the public VIP pool can be retrieved with the following code, which must be run against your Azure Stack Hub environment's privileged endpoint.

# Create a PEP session
winrm s winrm/config/client '@{TrustedHosts= "<IpOfERCSMachine>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IpOfERCSMachine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Obtain the DNS servers and extension host endpoints from the stamp information.
# The TenantHosting/AdminHosting properties replace the wildcard label with "testdnsentry"
# so the names can be resolved; the *DNS properties keep the wildcard names for the DNS zone records.
$StampInformation = Invoke-Command $PEPSession {Get-AzureStackStampInformation} |
    Select-Object -Property ExternalDNSIPAddress01, ExternalDNSIPAddress02,
        @{n="TenantHosting";e={($_.TenantExternalEndpoints.TenantHosting) -replace "https://*.","testdnsentry" -replace "/"}},
        @{n="AdminHosting";e={($_.AdminExternalEndpoints.AdminHosting) -replace "https://*.","testdnsentry" -replace "/"}},
        @{n="TenantHostingDNS";e={($_.TenantExternalEndpoints.TenantHosting) -replace "https://","" -replace "/"}},
        @{n="AdminHostingDNS";e={($_.AdminExternalEndpoints.AdminHosting) -replace "https://","" -replace "/"}}
If (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress01 -Name $StampInformation.TenantHosting -ErrorAction SilentlyContinue) {
    Write-Host "Can access AZS DNS" -ForegroundColor Green
    $AdminIP = (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress02 -Name $StampInformation.AdminHosting).IPAddress
    Write-Host "The IP for the Admin Extension Host is: $($StampInformation.AdminHostingDNS) - is: $($AdminIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.AdminHostingDNS), Value: $($AdminIP)" -ForegroundColor Green
    $TenantIP = (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress01 -Name $StampInformation.TenantHosting).IPAddress
    Write-Host "The IP address for the Tenant Extension Host is $($StampInformation.TenantHostingDNS) - is: $($TenantIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.TenantHostingDNS), Value: $($TenantIP)" -ForegroundColor Green
}
Else {
    Write-Host "Cannot access AZS DNS" -ForegroundColor Yellow
    $AdminIP = (Resolve-DnsName -Name $StampInformation.AdminHosting).IPAddress
    Write-Host "The IP for the Admin Extension Host is: $($StampInformation.AdminHostingDNS) - is: $($AdminIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.AdminHostingDNS), Value: $($AdminIP)" -ForegroundColor Green
    $TenantIP = (Resolve-DnsName -Name $StampInformation.TenantHosting).IPAddress
    Write-Host "The IP address for the Tenant Extension Host is $($StampInformation.TenantHostingDNS) - is: $($TenantIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.TenantHostingDNS), Value: $($TenantIP)" -ForegroundColor Green
}
Remove-PSSession -Session $PEPSession

Sample output

Can access AZS DNS
The IP for the Admin Extension Host is: *.adminhosting.<region>.<fqdn> - is: xxx.xxx.xxx.xxx
The Record to be added in the DNS zone: Type A, Name: *.adminhosting.<region>.<fqdn>, Value: xxx.xxx.xxx.xxx
The IP address for the Tenant Extension Host is *.hosting.<region>.<fqdn> - is: xxx.xxx.xxx.xxx
The Record to be added in the DNS zone: Type A, Name: *.hosting.<region>.<fqdn>, Value: xxx.xxx.xxx.xxx

Note

Make this change before enabling the extension host. This allows the Azure Stack Hub portals to remain continuously accessible.

| Endpoint (VIP) | Protocol | Ports |
|---|---|---|
| Admin Hosting | HTTPS | 443 |
| Hosting | HTTPS | 443 |

Update existing publishing rules (post enablement of extension host)

Note

The 1808 Azure Stack Hub update package does not enable the extension host yet. It lets you prepare for the extension host by importing the required certificates. Don't close any ports before the extension host is automatically enabled through an Azure Stack Hub update package after the 1808 update.

The following existing endpoint ports must be closed in your existing firewall rules.

Note

It's recommended to close those ports after successful validation.

| Endpoint (VIP) | Protocol | Ports |
|---|---|---|
| Portal (administrator) | HTTPS | 12495, 12499, 12646, 12647, 12648, 12649, 12650, 13001, 13003, 13010, 13011, 13012, 13020, 13021, 13026, 30015 |
| Portal (user) | HTTPS | 12495, 12649, 13001, 13010, 13011, 13012, 13020, 13021, 30015, 13003 |
| Azure Resource Manager (administrator) | HTTPS | 30024 |
| Azure Resource Manager (user) | HTTPS | 30024 |
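The following PowerShell is an added validation script, not part of the original article, covering both the "Publish new endpoints" section and the port closure above: after the extension host is enabled it checks that a label under each new wildcard hosting namespace resolves to the expected VIP and answers on 443, and that the legacy portal ports from the table no longer accept connections. The portal host names (adminportal./portal.) and the region, FQDN and VIP values are assumptions; take the two VIPs from the PEP script output.

```powershell
# Added example, not from the original article: after the extension host is enabled,
# confirm that both new hosting endpoints answer on 443 and that the legacy portal
# ports listed in the table above no longer accept connections through the firewall.
function Test-TcpPort {
    param([string] $Target, [int] $Port, [int] $TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # no answer: closed or filtered
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}
function Test-ExtensionHostPublishing {
    param(
        [Parameter(Mandatory)] [string] $Region,
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $AdminHostingVip,   # $AdminIP from the PEP script
        [Parameter(Mandatory)] [string] $HostingVip,        # $TenantIP from the PEP script
        [hashtable] $LegacyPorts                            # host name -> ports that must be closed
    )
    if (-not $LegacyPorts) { $LegacyPorts = @{   # assumed portal host names; add the ARM rows (30024) the same way
        "adminportal.$Region.$Fqdn" = 12495,12499,12646,12647,12648,12649,12650,13001,13003,13010,13011,13012,13020,13021,13026,30015
        "portal.$Region.$Fqdn"      = 12495,12649,13001,13010,13011,13012,13020,13021,30015,13003
    } }
    # A wildcard A record must answer for any label under the namespace and must point at the VIP.
    $hosting = @(@{ Name = "probe.adminhosting.$Region.$Fqdn"; Vip = $AdminHostingVip },
                 @{ Name = "probe.hosting.$Region.$Fqdn";      Vip = $HostingVip })
    foreach ($h in $hosting) {
        $resolved = @((Resolve-DnsName -Name $h.Name -Type A -ErrorAction SilentlyContinue).IPAddress)
        [pscustomobject]@{
            Check  = "publish $($h.Name)"
            Ok     = ($resolved -contains $h.Vip) -and (Test-TcpPort -Target $h.Vip -Port 443)
            Detail = "resolved=$($resolved -join ',') expected=$($h.Vip) port=443"
        }
    }
    # Legacy ports: the name must still resolve (otherwise the probe proves nothing) and the port must not answer.
    foreach ($name in $LegacyPorts.Keys) {
        $ip = @((Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress) | Select-Object -First 1
        foreach ($p in $LegacyPorts[$name]) {
            [pscustomobject]@{ Check = "closed $($name):$p"; Ok = ([bool]$ip -and -not (Test-TcpPort -Target $ip -Port $p))
                               Detail = $(if ($ip) { "vip=$ip" } else { 'name does not resolve' }) }
        }
    }
}
# Assumed values; take the two VIPs from the PEP script in the previous section.
Test-ExtensionHostPublishing -Region east -Fqdn azurestack.contoso.com -AdminHostingVip '<AdminIP>' -HostingVip '<TenantIP>' | Format-Table Check, Ok, Detail -AutoSize
```

Any row with Ok = False means either the new endpoint is not yet published correctly or a legacy port is still reachable and the firewall rule has not taken effect.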

Next steps